OptionsWindow
0
0
659
479
0
0
0
0
16777215
16777215
SandboxiePlus Options
-
-
true
QTabWidget::North
8
General Options
-
0
Box Options
-
-
75
true
true
Appearance
-
-
-
75
true
true
General Configuration
-
-
Box Type Preset:
Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
-
Sandbox Indicator in title:
Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
-
px Width
Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter
-
Sandboxed window border:
Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
-
Box info
Qt::AutoText
true
-
-
1
10
1
-
Show this box in the 'run in box' selection prompt
-
Qt::Horizontal
40
20
-
-
0
0
16
16777215
-
<b>More Box Types</b> are exclusively available to <u>project supporters</u>, the Privacy Enhanced boxes <b><font color='red'>protect user data from illicit access</font></b> by the sandboxed programs.<br />If you are not yet a supporter, then please consider <a href="https://sandboxie-plus.com/go.php?to=sbie-get-cert">supporting the project</a>, to receive a <a href="https://sandboxie-plus.com/go.php?to=sbie-cert">supporter certificate</a>.<br />You can test the other box types by creating new sandboxes of those types, however processes in these will be auto terminated after 5 minutes.
Qt::RichText
true
-
Qt::Vertical
20
40
File Options
-
-
Auto delete content when last sandboxed process terminates
-
Copy file size limit:
-
75
true
true
Box Delete options
-
Qt::Horizontal
40
20
-
Protect this sandbox from deletion or emptying
-
75
true
true
Raw Disk access
-
75
true
true
File Migration
-
Allow elevated sandboxed applications to read the harddrive
-
Warn when an application opens a harddrive handle
-
kilobytes
-
75
16777215
-
Issue message 2102 when a file is too large
-
Qt::Vertical
20
40
-
20
16777215
-
Prompt user for large file migration
Admin Rights
-
-
Qt::Vertical
20
40
-
Qt::Horizontal
40
20
-
75
true
true
(Recommended)
-
75
true
true
Protect the system from sandboxed processes
Elevation restrictions
-
75
true
true
CAUTION: When running under the built in administrator, processes can not drop administrative privileges.
true
-
Make applications think they are running elevated (allows to run installers safely)
-
Note: Msi Installer Exemptions should not be required, but if you encounter issues installing a msi package which you trust, this option may help the installation complete successfully. You can also try disabling drop admin rights.
true
-
Qt::Horizontal
QSizePolicy::Maximum
20
20
-
75
true
true
Security note: Elevated applications running under the supervision of Sandboxie, with an admin or system token, have more opportunities to bypass isolation and modify the system outside the sandbox.
true
-
Drop rights from Administrators and Power Users groups
-
Allow MSIServer to run with a sandboxed system token and apply other exceptions if required
Access Restrictions
-
-
Open Windows Credentials Store (user mode)
-
0
0
Allow the print spooler to print to files outside the sandbox
-
Remove spooler restriction, printers can be installed outside the sandbox
-
Qt::Vertical
20
40
-
Block read access to the clipboard
-
Open System Protected Storage
-
Block access to the printer spooler
-
75
true
true
Protect the system from sandboxed processes
Other restrictions
-
Qt::Horizontal
40
20
-
75
true
true
Protect the system from sandboxed processes
Printing restrictions
-
20
0
20
16777215
-
75
true
true
Protect the system from sandboxed processes
Network restrictions
-
Block network files and folders, unless specifically opened.
-
Prevent change to network and firewall parameters (user mode)
Run Menu
-
You can configure custom entries for the sandbox run menu.
true
-
Qt::Vertical
20
40
-
Name
Command Line
-
0
0
0
23
Add program
-
0
0
0
23
Remove
Auto Start
-
Here you can specify programs and/or services that are to be started automatically in the sandbox when it is activated
true
-
Type
Program/Service
-
0
0
0
23
Remove
-
Qt::Vertical
20
40
-
0
0
0
23
Add program
-
0
0
0
23
Add service
Program Groups
-
-
Add Group
-
Qt::Vertical
20
40
-
true
Name
-
Add Program
-
You can group programs together and give them a group name. Program groups can be used with some of the settings instead of program names. Groups defined for the box overwrite groups defined in templates.
true
-
Remove
-
Show Templates
Forced Programs
9
9
9
9
-
-
Remove
-
Force Folder
-
true
Type
Path
-
Force Program
-
Qt::Vertical
20
40
-
Show Templates
-
Programs entered here, or programs started from entered locations, will be put in this sandbox automatically, unless they are explicitly started in another sandbox.
true
Stop Behaviour
-
-
Remove Program
-
Qt::Vertical
20
40
-
Add Leader Program
-
Add Lingering Program
-
true
Type
Path
-
Show Templates
-
Lingering programs will be automatically terminated if they are still running after all other processes have been terminated.
If leader processes are defined, all others are treated as lingering processes.
true
Start Restrictions
-
-
true
Name
-
Qt::Vertical
20
40
-
Remove Program
-
Issue message 1308 when a program fails to start
-
Add Program
-
0
-
Allow only selected programs to start in this sandbox. *
-
Prevent selected programs from starting in this sandbox.
-
Allow all programs to start in this sandbox.
-
* Note: Programs installed to this sandbox won't be able to start at all.
true
Internet Restrictions
-
0
Process Restrictions
3
6
3
0
-
-
Issue message 1307 when a program is denied internet access
-
Add Program
-
Prompt user whether to allow an exemption from the blockade.
-
Remove Program
-
Note: Programs installed to this sandbox won't be able to access the internet at all.
-
Qt::Vertical
20
40
-
true
Name
Access
-
-
Set network/internet access for unlisted processes:
-
Network Firewall Rules
3
3
0
-
-
Qt::Vertical
20
40
-
-
Test Rules, Program:
-
-
Port:
-
-
IP:
-
-
Protocol:
-
-
X
-
Remove Rule
-
Add Rule
-
Program
Action
Port
IP
Protocol
-
Show Templates
-
75
true
true
CAUTION: Windows Filtering Platform is not enabled with the driver, therefore these rules will be applied only in user mode and can not be enforced!!! This means that malicious applications may bypass them.
true
Resource Access
-
0
Resource Access Rules
3
6
3
0
-
-
0
0
0
23
Add Wnd Class
-
Configure which processes can access what resources. Double click on an entry to edit it.
'Open' File and Key access only applies to program binaries located outside the sandbox.
You can use 'Open for All' instead to make it apply to all programs, or change this behaviour in the Policies tab.
-
0
0
0
23
Add COM Object
-
0
0
0
23
Add Reg Key
-
Remove
-
Qt::Vertical
20
40
-
0
0
0
23
Add IPC Path
-
true
Type
Program
Access
Path
-
Show Templates
-
0
0
0
23
Add File/Folder
Resource Access Policies
9
9
9
9
-
-
Qt::Horizontal
40
20
-
The rule specificity is a measure to how well a given rule matches a particular path, simply put the specificity is the length of characters from the begin of the path up to and including the last matching non-wildcard substring. A rule which matches only file types like "*.tmp" would have the highest specificity as it would always match the entire file path.
The process match level has a higher priority than the specificity and describes how a rule applies to a given process. Rules applying by process name or group have the strongest match level, followed by the match by negation (i.e. rules applying to all processes but the given one), while the lowest match levels have global matches, i.e. rules that apply to any process.
true
-
Qt::Vertical
20
40
-
Prioritize rules based on their Specificity and Process Match Level
-
Privacy Mode, block file and registry access to all locations except the generic system ones
-
75
true
true
Access Mode
-
When the Privacy Mode is enabled, sandboxed processes will be only able to read C:\Windows\*, C:\Program Files\*, and parts of the HKLM registry, all other locations will need explicit access to be readable and/or writable. In this mode, Rule Specificity is always enabled.
true
-
75
true
true
Rule Policies
-
Apply Close...=!<program>,... rules also to all binaries located in the sandboxed.
-
Apply File and Key Open directives only to binaries located outside the sandbox.
File Recovery
-
-
Qt::Vertical
20
40
-
Add Folder
-
Ignore Extension
-
Ignore Folder
-
Show Templates
-
Enable Immediate Recovery prompt to be able to recover files as soon as they are created.
-
Qt::Vertical
QSizePolicy::Preferred
20
40
-
Type
Name
-
Remove
-
You can exclude folders and file types (or file extensions) from Immediate Recovery.
true
-
When the Quick Recovery function is invoked, the following folders will be checked for sandboxed content.
true
Advanced Options
-
-
50
false
true
0
50
false
true
Miscellaneous
-
-
Emulate sandboxed window station for all processes
-
Drop critical privileges from processes running with a SYSTEM token
-
Add sandboxed processes to job objects (recommended)
-
Do not start sandboxed services using a system token (recommended)
-
Protect sandboxed SYSTEM processes from unprivileged processes
-
Open access to COM infrastructure (not recommended)
-
Allow only privileged processes to access the Service Control Manager
-
Force usage of custom dummy Manifest files (legacy behaviour)
-
75
true
true
(Security Critical)
-
Qt::Horizontal
40
20
-
Start the sandboxed RpcSs as a SYSTEM process (not recommended)
-
Don't alter window class names created by sandboxed programs
-
75
true
true
Compatibility
-
Qt::Vertical
20
40
-
75
true
true
(Security Critical)
-
75
true
true
Protect the sandbox integrity itself
Sandbox isolation
-
75
true
true
Protect the sandbox integrity itself
COM/RPC
-
Allow use of nested job objects (experimental, works on Windows 8 and later)
-
Disable the use of RpcMgmtSetComTimeout by default (this may resolve compatibility issues)
Isolation
-
-
Security Isolation through the usage of a heavily restricted process token is Sandboxie's primary means of enforcing sandbox restrictions, when this is disabled the box is operated in the application compartment mode, i.e. it’s no longer providing reliable security, just simple application compartmentalization.
true
-
Open access to Windows Local Security Authority
-
Allow sandboxed programs to manage Hardware/Devices
-
Qt::Vertical
20
40
-
Disable Security Isolation (experimental)
-
Various advanced isolation features can break compatibility with some applications. If you are using this sandbox <b>NOT for Security</b> but for simple application portability, by changing these options you can restore compatibility by sacrificing some security.
true
-
Qt::Horizontal
40
20
-
Open access to Windows Security Account Manager
-
75
true
true
Protect the sandbox integrity itself
Security Isolation & Filtering
-
Disable Security Filtering (not recommended)
-
Security Filtering used by Sandboxie to enforce filesystem and registry access restrictions, as well as to restrict process access.
true
-
The below options can be used safely when you don't grant admin rights.
true
-
75
true
true
Protect the sandbox integrity itself
Access isolation
Auto Exec
-
Add Command
-
Qt::Vertical
20
40
-
Remove
-
Here you can specify a list of commands that are executed every time the sandbox is initially populated.
true
-
50
false
true
Hide Processes
-
Qt::Vertical
20
40
-
Add Process
-
-
Hide host processes from processes running in the sandbox.
true
-
Remove
-
Don't allow sandboxed processes to see processes running in other boxes
50
false
true
Users
-
Restrict Resource Access monitor to administrators only
-
Add User
-
Qt::Vertical
20
40
-
-
Remove User
-
Add user accounts and user groups to the list below to limit use of the sandbox to only those accounts. If the list is empty, the sandbox can be used by all user accounts.
Note: Forced Programs and Force Folders settings for a sandbox do not apply to user accounts which cannot use the sandbox.
true
Tracing
-
-
API call trace (requirers logapi to be installed in the sbie dir)
-
Qt::Horizontal
40
20
-
Pipe Trace
-
Qt::Vertical
20
40
-
Log all SetError's to Trace log (creates a lot of output)
-
Qt::Horizontal
40
20
-
Log Debug Output to the Trace Log
-
Log all access events as seen by the driver to the resource access log.
This options set the event mask to "*" - All access events
You can customize the logging using the ini by specifying
"A" - Allowed accesses
"D" - Denied accesses
"I" - Ignore access requests
instead of "*".
Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop
true
-
Ntdll syscall Trace (creates a lot of output)
-
File Trace
-
Disable Resource Access Monitor
-
IPC Trace
-
GUI Trace
-
75
true
true
Resource Access Monitor
-
20
16777215
-
75
true
true
Access Tracing
-
COM Class Trace
-
Key Trace
-
Network Firewall
50
false
true
Debug
-
true
0
0
98
28
0
0
0
0
-
75
true
true
WARNING, these options can disable core security guarantees and break sandbox security!!!
true
-
These options are intended for debugging compatibility issues, please do not use them in production use.
true
App Templates
-
-
0
Compatibility Templates
-
-
Filter Categories
Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter
-
-
Text Filter
-
Add Template
-
This list contains a large amount of sandbox compatibility enhancing templates
true
-
-
Remove Template
-
Qt::Vertical
20
40
-
true
Category
Name
Template Folders
-
-
Configure the folder locations used by your other applications.
Please note that this values are currently user specific and saved globally for all boxes.
-
Qt::Vertical
20
40
-
Name
Value
Accessibility
-
-
To compensate for the lost protection, please consult the Drop Rights settings page in the Restrictions settings group.
-
Screen Readers: JAWS, NVDA, Window-Eyes, System Access
-
The following settings enable the use of Sandboxie in combination with accessibility software. Please note that some measure of Sandboxie protection is necessarily lost when these settings are in effect.
true
-
Edit ini Section
-
Edit ini
false
-
false
Cancel
-
Qt::Horizontal
40
20
-
false
Save
-
QPlainTextEdit::NoWrap
-
-
QDialogButtonBox::Apply|QDialogButtonBox::Cancel|QDialogButtonBox::Ok
tabs
tabWidget
cmbBoxIndicator
cmbBoxBorder
btnBorderColor
spinBorderWidth
treeRun
btnAddCmd
btnDelCmd
chkCopyLimit
chkNoCopyWarn
chkAutoEmpty
chkProtectBox
treeAutoStart
btnAddAutoExe
btnAddAutoSvc
btnDelAuto
treeGroups
btnAddGroup
btnAddProg
btnDelProg
treeForced
btnForceProg
btnForceDir
chkShowForceTmpl
btnDelForce
treeStop
btnAddLingering
btnAddLeader
chkShowStopTmpl
btnDelStopProg
radStartAll
radStartExcept
radStartSelected
treeStart
btnAddStartProg
btnDelStartProg
chkStartBlockMsg
chkINetBlockPrompt
treeINet
btnAddINetProg
btnDelINetProg
chkINetBlockMsg
treeAccess
btnAddFile
btnAddKey
btnAddIPC
btnAddWnd
btnAddCOM
chkShowAccessTmpl
btnDelAccess
chkAutoRecovery
treeRecovery
btnAddRecovery
btnAddRecIgnore
btnAddRecIgnoreExt
chkShowRecoveryTmpl
btnDelRecovery
tabsAdvanced
chkPreferExternalManifest
chkNoWindowRename
lstAutoExec
btnAddAutoExec
btnDelAutoExec
chkHideOtherBoxes
lstProcesses
btnAddProcess
btnDelProcess
lstUsers
btnAddUser
btnDelUser
chkMonitorAdminOnly
chkFileTrace
chkPipeTrace
chkKeyTrace
chkIpcTrace
chkGuiTrace
chkComTrace
chkDbgTrace
scrollArea
treeTemplates
cmbCategories
txtTemplates
btnEditIni
txtIniSection
btnSaveIni
btnCancelEdit